Anonymization and Pseudonymization in Data Regulation: A Legal Analysis

Explore the viability of anonymization and pseudonymization in data regulation today, focusing on legal research within the Council of Europe and European Union. Delve into the boundaries of different types of data and the implications for data protection directives like GDPR.

  • Data Regulation
  • Anonymization
  • Pseudonymization
  • Data Protection
  • GDPR




Presentation Transcript


  1. Data Regulation. Bart van der Sloot, Sascha van Schendel & César Augusto Fontanillo López

  2. Commissioned report for the Dutch Government: are anonymization and pseudonymization still viable in this day and age and, if not, how should they be revised? Focus on legal doctrinal research concerning the Council of Europe and the European Union. Also studied 10 European countries and 10 non-European countries. Interviews with 20 technical experts. Workshops. Edited book with invited contributions.

  3. Types of data: anonymized data, aggregated data, pseudonymised data, sensitive data, metadata. Main question: boundaries, and do they still work?

  4. Anonymous data. Data Protection Directive: the original proposal for a Data Protection Directive by the Commission contained the concept of 'depersonalisation', which signified modifying personal data in such a way that the information within it can no longer be associated with a specific individual or allow the identity of an individual to be determined without excessive effort in terms of staff, expenditure, and time. The Directive would not be applicable to those data. Depersonalisation is, in a certain sense, the predecessor of the notion of 'anonymisation'. The definition contained a contextual element, as emphasized by the explanatory memorandum: 'An item of data can be regarded as depersonalized even if it could theoretically be repersonalized with the help of disproportionate technical and financial resources', and by the definition of depersonalization, which means 'modify personal data in such a way that the information they contain can no longer be associated with a specific individual or an individual capable of being determined except at the price of an excessive effort'. CJEU: broad interpretation. WP29: very broad interpretation.

  5. Anonymous data. GDPR: although relatively little has changed, some suggestions were proposed but then rejected. First, there was a suggestion to include a rule that data could only be considered anonymous when it was demonstrable that they could no longer be linked to a person, thus placing a burden of proof on the data controller. Second, there was a proposal to exclude from the scope of personal data information about a person's identity when it concerns her professional capacity. Third, there were proposals to limit the scope of personal data, for example, restricting it to information through which a data subject can be unequivocally identified, directly or indirectly, 'by means available to the controller'. Fourth, there were proposals to extend the data protection framework to data about deceased persons. Fifth, there was a proposal to forbid re-identification: 'Reidentification of personal data, for instance by using retained online traces for the creation of profiles of the individuals, breaches of pseudonym and identification of the data subjects should be forbidden.'

  6. Anonymous data. Open questions from the country studies: objective or subjective approach to anonymisation; time limit to the question of reidentification; binary distinction (e.g. GDPR-TNPDD) or sliding scales; prohibition on reidentification; extent to which data about deceased persons and legal persons also fall under the protective scope; is anonymising data itself processing?

  7. Anonymous data. Discussions from the interviews: 1. On the one hand, from a technical point of view, the legal concept is conceived as lacking rigor and clear definition. This tension raises the question of whether anonymization is the correct term or the threshold that regulation should strive for. 2. On the other hand, in information theory, anonymity is much more strictly defined, meaning that anonymous data will, in principle, be valueless. From a technical perspective, it is clear that complete anonymization is impossible to achieve given the legal standard set out by data protection law and the contextual nature of information. That is why experts generally propose to develop a framework that minimizes the risk of re-identification. In the same way that locking the doors and windows of one's home reduces the risk of unwanted entry but is not 100% safe, so too should anonymization be understood. It is also clear that the general availability of data makes it increasingly unlikely that anonymous datasets that are shared or made available stay anonymous. 3. From a technical point of view, aggregate or anonymized individual data can be valuable as well, for example, for predictive analytics or for constructing group profiles. Interviews with technical experts demonstrated that actors could derive attributes or information from anonymous datasets and use those without knowing the identity of the person. Thus, if the use of anonymous data is not without potential harm, this challenges the presumption that underlies the choice not to regulate anonymous data and can be a factor to consider in also subjecting anonymous data to regulation.

  8. Aggregated data. Article 10 of the CoE 1973 Resolution held: 'Statistical data should be released only in aggregate form and in such a way that it is impossible to link the information to a particular person.' Though, in essence, it may almost be regarded as a tautology, because statistical data are almost always aggregate data, this provision makes clear that if statistical information can be used to identify persons, the data protection regime applies. The explanatory report makes clear that one of the main purposes of the data bank is to provide managers with statistical information, which will enable them to make executive decisions. Thus, the production of statistical information from data banks is a common practice. Normally, statistical data are diffused in published form. However, computerised statistics may also be made available unpublished, for example, by transfer of tapes. Owing to the special facility of computers to trace correlations, the latter form of diffusion of statistical data may also create certain dangers to privacy. The word 'released' covers all forms of diffusion. Resolution 1974: 'Statistical information should normally be released only in aggregate form. If person by person information is released, for example for scientific or research purposes, it should be reduced to a level where it is impossible to identify the individuals.' Resolution 1974 also provided special status for statistical and aggregate data on two additional points. It made clear that it was possible to adopt special rules on the storage limitation principle if the use of the information for statistical, scientific, or historical purposes requires its conservation for an indefinite duration. In that case, precautions should be taken to ensure that the privacy of the individuals concerned will not be prejudiced. The explanatory memorandum makes clear that in that case, data should be preserved in such a way that the identities of the people on whom information is stored can only be ascertained by the specialists carrying out the research envisaged or, in the case of other people, after an adequate period of time has elapsed. This explanation seems to foreshadow concepts such as encryption and pseudonymization. DPD & GDPR: statistical data specifically mentioned. Rules for statistical agencies; different standards for anonymity.

  9. Aggregated data. Evolution from open government to re-use of public sector information. Digitisation: government documents used to be available in archives, libraries, or specially designated information centres. Nowadays, more and more documents are made available online. This has an important effect on what is called 'practical obscurity'. The fact that in the past one had to make the effort to go to the place where the documents were stored, request them, and view them meant that, in practice, only a limited number of people were able to access the information. Broadly speaking, these were journalists, historians, critical citizens closely following the government, and lay historians researching their family trees. By making the documents public on the Internet and not setting any access barriers, now anyone can view these documents with ease. In the pre-digital age, most documents were 'passively disclosed'; citizens, journalists, and others were given access to specific documents upon request. They already had to have a rough idea of what they were looking for, the disclosure of documents required their initiative, and the documents were usually made available for a certain period of time only. Currently, documents are increasingly disclosed actively; the government publishes documents not upon request, but on its own initiative. This means that there is no longer a specific reason for which a document is made available. Anyone may access them, and they are made available permanently. The technical possibilities of searching through such documents have increased considerably. These include algorithms and AI tools that can analyse texts for words, correlations, and topics. Whereas previously, it was primarily individuals that sought access to government documents, currently, it is tech companies that are best placed to scan and analyse the millions of governmental documents that appear on the internet every year. The European Union has encouraged the Member States to not only make data available to further open, transparent, and accountable government but also to facilitate the reuse of government data. The idea is that the government is sitting on 'a mountain of data', while its economic potential is not being exploited. Already in the year 2000, the total value of the European public sector information (PSI) was estimated to be around 68 billion euro annually. The data are only used for furthering public interests, while if the data were released for commercial re-use, it is estimated that tens of billions in economic potential would be released. The EU, therefore, adopted a Directive on the re-use of public sector information in 2003, which, following amendments in 2013 and 2019, has become even more adamant that governments actively release public sector information to enable re-use by commercial parties.

  10. Aggregated data. Tensions between the two regimes: The purpose limitation principle, by which data cannot be processed for another purpose than that for which they were collected (Article 5(1)(b) GDPR). The potential exceptions to this principle, including consent and the processing for scientific or historical research, will seldom apply to the reuse of public sector information for commercial purposes. The data minimisation principle, which specifies that data may only be processed insofar as this is strictly necessary for the purpose for which they were collected (Article 5(1)(c) GDPR). The purposes for which data have been collected will vary from case to case but will typically concern matters such as taxation, providing social benefits, and protecting public order. Making the data available for reuse is usually not strictly necessary in light of these public interests. The release of government information entails that there is no control over the purposes for which the information will be processed by third parties. Article 5(1)(f) GDPR states the principle of integrity and confidentiality, ensuring that unauthorised third parties cannot gain access to personal data. Publishing information online seems to run counter to this principle. The further re-use of the public sector information for a specific purpose, for example, the development of an app that can be downloaded in return for a small monthly payment and shows crime figures per city, district, and street, must have a legitimate processing basis. For the commercial re-use of 'ordinary' personal data, there will usually be only one ground that can be invoked, namely, the case referred to in Article 6(1)(f) GDPR, where the interest in the re-use of the information for commercial purposes overrides the interests of the data subjects in the protection of their fundamental rights. A determination regarding the applicability of this provision will have to be made on a case-by-case basis, but it is clear that only in a limited number of cases can this ground be successfully invoked, because the interests of citizens will weigh heavily, in particular if data about children are being processed. In addition, the processing of 'special' or 'sensitive' personal data, such as those concerning race, religion, sexual orientation, or health, is prohibited (Article 9 GDPR), and data relating to criminal convictions and offences can only be processed under the control of official authority or when the processing is authorised by Union or Member State law providing for appropriate safeguards for the rights and freedoms of data subjects (Article 10 GDPR). Save in exceptional circumstances, the grounds mentioned in Article 9(2) GDPR for processing sensitive data will generally not apply to the reuse of public sector information for commercial purposes.

  11. Aggregated data. WP29 & EDPS: balance the two regimes. CJEU: recently more strict. Latvijas Republikas Saeima: emphasis on the purpose limitation principle. Luxembourg Business Registers: emphasis on the original purpose for collecting the data. ECtHR: also critical, e.g. L.B. v. Hungary.

  12. Aggregated data. Country reports: large differences between the balances that they strike. Technical interviews: sliding scales; the composition problem.

  13. Aggregated data. Five main tensions between the legal and the technical realm have emerged from this chapter: 1. Privacy and data protection regimes have traditionally focused on natural persons and identifiability. This choice is understandable given that, traditionally, there were, by and large, two types of data processing: individual, specific data collection, for example, by law enforcement agencies on suspects or by companies on their customers, and statistical data processes, performed inter alia for developing models, maps, and fact-based governmental policies. It was the first type of data processing that privacy and data protection regimes focussed on. Since then, however, at least two things have changed. First, it is increasingly easy to infer specific individual information and sometimes sensitive personal data about natural persons from aggregate data, especially when combining a dataset with aggregate data with another data source. Second, data practice has moved from collecting individual data to focussing on aggregated data, group profiles, and longitudinal patterns. These are used for increasingly intensive and far-reaching decisions that affect people as part of a group or category. 2. In addition, with new developments in technology, it might become increasingly possible to reidentify individuals in aggregated data. 3. The same holds true for the fact that through evolving technological capacities, it is increasingly possible to arrive at personal data by combining two or more datasets that, in isolation, do not contain any personal data. 4. Statistics are used to generate knowledge by analysing existing data to make assumptions about individuals, for example, by mapping past experiences and establishing correlations between certain characteristics and particular outcomes or behaviour [120]. AI and big data analytics allow people to be profiled in actionable ways without being personally or individually identified [121]. This means that even aggregated data that are not re-identified can be qualified as falling under the data protection framework. In essence, this development, as well as those discussed under points 2 and 3, especially when seen in the light of each other, means that more and more, aggregated or statistical data should be deemed to fall under the data protection framework per se, even if no identifying information is contained in it. 5. Finally, what makes these tensions more complex is that legislators and courts do not present a uniform view as to what extent collection and use of aggregate data should be regulated or to what extent aggregate data can also be personal data [122]. For example, the European legislator leaves room for the Member States here to determine safeguards, and this space is used differently by different national legislators and courts. An important question to answer is what
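The composition problem named in slides 12 and 13 (points 1 and 3: sensitive facts inferred from aggregate data once it is combined with another data source), shown as an added example that is not part of the original presentation or of the underlying report. The HR records, the public staff directory and the sick-leave attribute are constructed for the illustration, and the minimum cell size of 3 is an assumption chosen here, not a figure from the page. The code is Python using only the standard library: it builds a release table with no names in it, shows which employees' health status the table nevertheless determines once linked to the directory, and applies the kind of cell suppression a statistical agency would run before release.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

Cell = Tuple[str, str]  # (department, age band): the aggregation dimensions

# Constructed HR records; the sick-leave flag is the sensitive attribute.
HR_RECORDS = [
    {"name": "A. Jansen", "dept": "Finance", "age_band": "30-39", "sick_leave": True},
    {"name": "B. de Vries", "dept": "Finance", "age_band": "30-39", "sick_leave": False},
    {"name": "C. Bakker", "dept": "Finance", "age_band": "50-59", "sick_leave": True},
    {"name": "D. Smit", "dept": "IT", "age_band": "20-29", "sick_leave": False},
    {"name": "E. Visser", "dept": "IT", "age_band": "20-29", "sick_leave": False},
    {"name": "G. Groen", "dept": "IT", "age_band": "20-29", "sick_leave": True},
    {"name": "H. Hendriks", "dept": "IT", "age_band": "20-29", "sick_leave": True},
    {"name": "F. Mulder", "dept": "IT", "age_band": "40-49", "sick_leave": False},
]

# Constructed public staff directory: the "other data source" of slide 13.
# It holds nothing sensitive, only names and the same coarse attributes.
STAFF_DIRECTORY: List[Tuple[str, str, str]] = [
    (r["name"], r["dept"], r["age_band"]) for r in HR_RECORDS
]


def aggregate(records) -> Dict[Cell, Dict[str, int]]:
    """Release-style table: per cell, total head count and number on sick leave.
    No identifier survives, so in isolation the table contains no personal data."""
    table: Dict[Cell, Dict[str, int]] = defaultdict(lambda: {"total": 0, "on_leave": 0})
    for r in records:
        cell = (r["dept"], r["age_band"])
        table[cell]["total"] += 1
        table[cell]["on_leave"] += int(r["sick_leave"])
    return dict(table)


def attribute_disclosures(table: Dict[Cell, Optional[Dict[str, int]]], directory) -> Dict[str, bool]:
    """Disclosure-risk check run by the releasing party: link the table with the
    directory and return every person whose sick-leave status the table determines.
    A cell gives everything away when the directory accounts for all of its members
    and the count on leave is 0 or equals the total (a uniform cell); a cell of
    size 1 is the special case usually discussed. Suppressed cells (None) are skipped."""
    members: Dict[Cell, List[str]] = defaultdict(list)
    for name, dept, band in directory:
        members[(dept, band)].append(name)
    revealed: Dict[str, bool] = {}
    for cell, counts in table.items():
        if counts is None:
            continue
        uniform = counts["on_leave"] in (0, counts["total"])
        if len(members[cell]) == counts["total"] and uniform:
            for name in members[cell]:
                revealed[name] = counts["on_leave"] > 0
    return revealed


def suppress(table: Dict[Cell, Dict[str, int]], min_cell: int = 3) -> Dict[Cell, Optional[Dict[str, int]]]:
    """Primary suppression before release: drop cells below the size threshold and
    uniform cells. Complementary suppression of marginal totals, which a real
    release would also need, is left out to keep the example short."""
    out: Dict[Cell, Optional[Dict[str, int]]] = {}
    for cell, counts in table.items():
        uniform = counts["on_leave"] in (0, counts["total"])
        out[cell] = None if counts["total"] < min_cell or uniform else dict(counts)
    return out


if __name__ == "__main__":
    raw = aggregate(HR_RECORDS)
    print("raw table:", raw)
    print("determined by raw table + directory:", attribute_disclosures(raw, STAFF_DIRECTORY))
    safe = suppress(raw)
    print("table after suppression:", safe)
    print("determined after suppression:", attribute_disclosures(safe, STAFF_DIRECTORY))
```

Running the block shows the two small cells (one person each) handing over C. Bakker's and F. Mulder's health status to anyone holding the directory, while the four-person IT cell with a mixed count reveals nothing; after suppression only that cell is released and the check returns nothing. The check is deliberately the general rule (uniform cells of any size), of which the size-one cell in the text is one instance.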

  14. Pseudonymised data. Encryption emerged in EU policy documents during the 1990s. In 2013, the Commission adopted a regulation on the measures applicable to the notification of personal data breaches under the e-Privacy Directive. In it, there was an exemption from informing data subjects of a data breach when the data were made unintelligible. Data shall be considered unintelligible if: (a) it has been securely encrypted with a standardised algorithm, the key used to decrypt the data has not been compromised in any security breach, and the key used to decrypt the data has been generated so that it cannot be ascertained by available technological means by any person who is not authorised to access the key; or (b) it has been replaced by its hashed value calculated with a standardised cryptographic keyed hash function, the key used to hash the data has not been compromised in any security breach, and the key used to hash the data has been generated in a way that it cannot be ascertained by available technological means by any person who is not authorised to access the key. WP29: focus on encryption. GDPR: a rather complex intermediate between anonymisation and personal data; both 'anonymisation light' and a technical security measure for risk minimisation. CJEU: adopts a subjective approach.

  15. Pseudonymised data. Country reports: wide variety in scope and relevance, primarily relevant for sensitive data. Technical interviews: no reason to see this as a separate data category; it is seen as an intermediate category, a sliding scale between anonymous and personal data.

  16. Pseudonymised data. Five main tensions between the legal and the technical realm have emerged from this chapter: 1. The legal regime attributes a special status to pseudonymised data. When data are pseudonymised, a number of obligations do not apply or are applied less strictly. Hence, pseudonymous data are conceived as an intermediate category between non-personal data and personal data, though it is clear that the GDPR applies to pseudonymous data. From a technical perspective, on the one hand, this choice is lauded [190]. The black-and-white approach taken in the data protection framework between personal data (fully protected) and non-personal data (processing restrictions are dissuaded) does not align with the more fluid and contextual understanding of anonymity by technical experts. Thus, the idea of an intermediate category is well received. On the other hand, it is unclear from a technical perspective why pseudonymisation, as a technique, should have a preferred and privileged position in the data protection framework and why other privacy-enhancing techniques are not put on the same level. In addition, the precise delineation between anonymous and pseudonymous data, and between pseudonymous and non-pseudonymous personal data, is not always clear from a technical perspective. 2. Pseudonymisation is a state or outcome in which the data cannot be attributed to an individual without the use of additional information; the process for doing so can be achieved with various techniques [191]. The EU legislator equates encryption and pseudonymisation on multiple occasions, or at least refers to pseudonymisation where it could have also referred to encryption, for example, in the context of Articles 25 and 40 GDPR. From a technical perspective, these are clearly distinct: pseudonymisation aims at decreasing linkability, while encryption focuses on the confidentiality of information. 3. The GDPR is neutral in terms of which form of pseudonymisation or which pseudonymisation technique is used, but this choice may be challenged because some are clearly better than others [192]. For example, hashing is agreed to be weak [193]. Not only can pseudonymisation easily be undone, but sometimes, it can also be used as a façade by actors who are either unwilling to delete identifiable information in their database or abuse it as an argument to avoid implementing further costly technical, technological, and organisational measures. That is why there is discussion over which technologies should be used in different contexts; the legal regime provides no guidance on this point. 4. Often one pseudonymisation technique is not enough to prevent abuse [194]. It can be argued that pseudonymisation is more than just a technical measure; to achieve the result as defined under the GDPR, it also requires organisational measures, such as the management of access rights for the personnel that has access to the key of the pseudonymised data [195]. The question is whether the technical protection is solid enough to protect against the harm of identification to warrant a lighter regulatory regime for pseudonymous personal data. 5. While, under the GDPR, pseudonymised data are considered personal data, some propose that this is not the case in other jurisdictions and that under most legal regimes beyond Europe, including the USA, pseudonymised data are not considered to be personal data [196]. Nonetheless, there are non-EU jurisdictions, such as India, where pseudonymous data are seen as personal data. While under the GDPR it is clear that pseudonymous data are personal data, some scholars argue that the UK Information Commissioner's Office (ICO) takes a different stance towards pseudonymous data. The ICO stresses that pseudonymisation can produce anonymised data on an individual-level basis, even though it may pose a greater privacy risk than aggregated anonymous data. The ICO uses the concept of pseudonymous data to mean key-coded data, referring merely to a de-identification technique for individual-level data. Therefore, it might be preferable to use the term de-identification rather than pseudonymisation to distinguish it from the specific GDPR definition [197]. However, on the other hand, in its newest guidance, the ICO very clearly states that it deems pseudonymous data to be personal data [198]. This illustrates the uncertainty and unclarity that still shrouds the idea of pseudonymous data [199]. When parties operate both in the EU and, for example, in the UK, they may have to take different technological and organisational measures and/or may be faced with different legal interpretations of the same pseudonymisation technique.
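The two technical points made in slide 14 and slide 16 side by side, as an added example that is not part of the original presentation or of the underlying report: the 2013 breach-notification regulation accepts a hashed value only when it comes from a standardised keyed hash function whose key cannot be ascertained, and slide 16 (points 3 and 4) notes that plain hashing is weak, can easily be undone, and that pseudonymisation also needs organisational measures around the key. The code is Python using only the standard library; the customer records and their five-digit identifier format are constructed for the illustration, and HMAC-SHA256 with a 256-bit key from the OS random source is the keyed hash assumed here. The enumeration audit is the check a controller can run on its own pseudonyms: it counts how many of them a party without the key could re-link by hashing every identifier of the known format.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, List, Optional

# Constructed sample records; the identifier space is small and structured
# (five decimal digits), as customer or case numbers often are.
RECORDS: List[Dict] = [
    {"customer_id": "00123", "city": "Utrecht", "spend_eur": 120},
    {"customer_id": "04711", "city": "Leiden", "spend_eur": 95},
    {"customer_id": "99001", "city": "Tilburg", "spend_eur": 310},
]
ID_WIDTH = 5  # assumption: identifiers are exactly five digits


def plain_hash_pseudonym(identifier: str) -> str:
    """Unkeyed SHA-256 of the identifier. No secret is involved, so anyone who can
    guess candidate identifiers can recompute the hash and match the pseudonym."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def keyed_hash_pseudonym(identifier: str, key: bytes) -> str:
    """HMAC-SHA256 pseudonym. Re-linking requires the key, which is the
    'additional information' that has to be held separately and access-controlled."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()


def new_pseudonymisation_key() -> bytes:
    """256-bit key from the OS CSPRNG: not derivable from anything an outsider knows."""
    return secrets.token_bytes(32)


def pseudonymise(records: Iterable[Dict], key: Optional[bytes] = None) -> List[Dict]:
    """Replace the identifier in each record by a pseudonym and drop the original.
    With key=None the weak, unkeyed form is produced (for comparison only)."""
    result = []
    for rec in records:
        ident = rec["customer_id"]
        pseud = keyed_hash_pseudonym(ident, key) if key is not None else plain_hash_pseudonym(ident)
        result.append({"pseudonym": pseud, "city": rec["city"], "spend_eur": rec["spend_eur"]})
    return result


def enumeration_audit(pseudonymised: Iterable[Dict], id_width: int = ID_WIDTH) -> int:
    """Controller-side check: how many pseudonyms could a party WITHOUT the key
    re-link just by hashing every identifier of the known format? For unkeyed hashes
    over a small identifier space the answer is all of them; for HMAC under an
    unknown key it is zero, because the auditor cannot compute the keyed values."""
    targets = {rec["pseudonym"] for rec in pseudonymised}
    relinked = 0
    for n in range(10 ** id_width):
        if plain_hash_pseudonym(f"{n:0{id_width}d}") in targets:
            relinked += 1
    return relinked


def relink_with_key(pseudonym: str, key: bytes, known_identifiers: Iterable[str]) -> Optional[str]:
    """The key holder can still attribute a pseudonym to a data subject, which is
    why pseudonymous data remain personal data in that holder's hands."""
    for ident in known_identifiers:
        if hmac.compare_digest(keyed_hash_pseudonym(ident, key), pseudonym):
            return ident
    return None


if __name__ == "__main__":
    key = new_pseudonymisation_key()
    weak = pseudonymise(RECORDS)
    strong = pseudonymise(RECORDS, key)
    ids = [r["customer_id"] for r in RECORDS]
    print("plain SHA-256 pseudonyms re-linked without any key:", enumeration_audit(weak))
    print("HMAC pseudonyms re-linked without the key:", enumeration_audit(strong))
    print("key holder re-links the first HMAC pseudonym to:", relink_with_key(strong[0]["pseudonym"], key, ids))
```

The audit relinks all three unkeyed pseudonyms and none of the keyed ones, which is the whole difference between the two forms; the only thing protecting the keyed pseudonyms is the key, so the access-rights management of slide 16 (who can read the key, where it is stored, when it is rotated) is part of the measure rather than an afterthought.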

  17. Sensitive Data. Article 1 of Resolution 1973 (on the private sector) specified that the information stored should be accurate and should be kept up to date. 'In general, information relating to the intimate private life of persons or information which might lead to unfair discrimination should not be recorded or, if recorded, should not be disseminated.' Thus, both especially sensitive information (Article 8 ECHR) and information that may lead to discrimination (Article 14 ECHR) is provided special protection. The explanatory memorandum provides, as an example of data concerning a person's intimate private life, information about her behaviour at home, her sexual life and her opinions, and, as an example of data that entails a risk of unfair discrimination, data about a person's health and past criminal record. 1974: also, and very strict. 1981: exhaustive in the article, but the memorandum emphasised its non-exhaustive nature. DPD and GDPR: exhaustive. CJEU: medical data especially sensitive; reason: the processing of these data is per se sensitive.

  18. Sensitive Data. Country reports: variety in terms of what is considered sensitive, e.g. also financial and socio-economic data and data about children. Technical: not per se relevant and, if relevant, it is a sliding scale; and why not other data as well?

  19. Sensitive Data. Four main tensions between the legal and the technical realm have emerged from this chapter: 1. Like the distinction between personal and non-personal data, the legal regime makes a binary distinction between non-sensitive personal data and sensitive personal data. Yet, there has been a shift in the legal definition of sensitive data. Initially, data were considered sensitive when processing could have a significant impact on the private life of a data subject or entailed a significant risk for discriminatory practices. Open-ended and non-exhaustive examples of data categories were provided. Over time, the legal regime has shifted towards defining concrete and exhaustive lists of types of data that are considered sensitive, regardless of the context or the processing operation concerned. Technical experts challenge the binary distinction between sensitive and non-sensitive personal data. They rather approach each data processing operation on a case-by-case basis, taking a holistic understanding of the potential risk, the harm entailed when the risk materialises, and the possibilities to achieve the goals without the data concerned. On the basis of that assessment, the level of risk and sensitivity is determined, as well as the level of protection and security that is needed. 2. This also means, on a more abstract level, that from a technological perspective, it is not the data as such that is determinative of the sensitivity of the data processing operation, but (also) other aspects, such as the technologies used, the amount of data, the goal of the data processing operation and the application of the data processing operation. 3. If the current approach of providing an exhaustive list of sensitive personal data should be maintained, technical experts suggest several additional categories should be included, such as financial information, location data and metadata. 4. As with the legal distinction between non-personal and personal data, technical experts point to the fact that sensitive information can often be derived from non-sensitive personal information. Thus, although the legal regime makes a binary division between the two, in reality, the lines are more fluid. 5. Finally, what complicates matters is that there is no uniformity from a legal perspective on the matter of inferences of sensitive personal information from personal or non-personal data. The former Article 29 Working Party [230], the European Data Protection Supervisor [231], the European Data Protection Board [232], and researchers [233] have all concerned themselves with the question of whether inferences of personal data still constitute personal data. For sensitive data, inferring information is a critical issue. If sensitive information can be inferred from non-sensitive personal data, this means that it is more difficult to work with a legal binary approach to sensitive and non-sensitive data. The Article 29 Working Party has pronounced itself on this issue by differentiating between 'provided' and 'observed' data and 'derived' and 'inferred' data [234]. While provided and observed data refer to data actively and knowingly provided by the data subject or observed from the activity of the data subject at the event level, derived and inferred data refer to data that is created by the controller on the basis of provided or observed data. According to an early opinion of the Article 29 Working Party, only personal provided or observed data form part of the right to portability, while derived or inferred data 'will typically not' fall within the scope of the right to data portability. Although no explicit pronouncement was made on the nature of derived or inferred data, the fact that such kind of derivation or inferences were not included in the right to data portability implies a distancing effect toward the controller's personal data protection obligations. This line of thought appears to be, however, reversed in a later opinion on automated individual decision-making and profiling [235], where profiling is defined as the process of 'creating derived or inferred data about individuals' which constitutes 'new personal data that has not been provided directly by the data subjects themselves' (emphasis added). In this line, the Article 29 Working Party defends the conversion of ordinary personal data into sensitive data where profiling 'create[s] special categor[ies] [of] data by inference from data which is not special category data in its own right but becomes so when combined with other data'. Hence, it appears that the Article 29 Working Party settled the matter of what the creation of derived or inferred data constitutes in its more recent pronouncements, but discussions over this matter are still ongoing.

  20. Metadata. Classic distinction in the privacy regime between content and metadata. E-Privacy regime: location and traffic data, mainly for billing purposes. Increased role of metadata for internet providers and LEAs. The ECtHR has laid down a high number of standards for the meta/communications data regime.

  21. Metadata. Under the legal regime, content data are protected differently than metadata. In principle, intercepting content communications data always leads to an interference with the right to privacy, while traditionally, the collection of metadata does not. Acknowledging that metadata plays an increasingly important role in the data practices of both public and private organisations, both the CJEU and the ECtHR have underlined that the collection of metadata cannot be left unregulated. The CJEU struck down the Data Retention Directive; the ECtHR has laid down a complex web of rules and principles for the processing of metadata by intelligence agencies. Still, the rules that apply to content communications data and metadata are distinctly different and, apart from a small number of rules that are contained in the Data Governance Act that is now under discussion, no regulatory regime exists for metadata. Still, the GDPR would apply when metadata is to be considered personal data. Technological developments have enabled organisations to infer the content of communications from metadata and to derive from the metadata sensitive personal data that were not explicit in either the content or the metadata, such as personality profiles or other sensitive characteristics. That is why, from a technical perspective, the distinction between content communications data and metadata is increasingly redundant. In addition, longitudinal profiles based on metadata can be used to make increasingly impactful decisions about groups. To close the gap between legal regulation and technical reality, several proposals have been put forward. For example, individuals' right to control their metadata could be strengthened. Alternatively, technical solutions may be found to ensure better privacy protection in metadata; metadata may even be used to ensure GDPR compliance. 
Finally, it has been suggested to create a more comprehensive framework for processing metadata, which differentiates between different actors gathering and using metadata, the purposes for which they do so, and the quantity of metadata analysed.

  22. Overarching conclusions The categorisation approach, that of having several strictly separated types of data, each with its own scope of protection, is increasingly criticised. Broadly speaking, three arguments can be put forward. First, it is argued that working with well-defined and delimited definitions of different types of data only works if the status of data is relatively stable, that is, if a 'datum' falls into one category in a relatively stable way. This is exactly what is increasingly less the case. The nature of the data in Big Data processes is not stable, but volatile. A dataset containing ordinary personal data can be linked to and enriched with another dataset so as to derive sensitive data; the data can then be aggregated or stripped of identifiers and become non-personal, aggregated, or anonymous data; subsequently, the data can be deanonymised or integrated into another dataset in order to create personal data. All this can happen in a split second. The question is, therefore, whether it makes sense to work with well-defined categories if the same 'datum' or dataset can literally fall into a different category from one second to the next and into still another the very next second. Second, it is also increasingly difficult to determine the status of data precisely. As the Working Party 29 already stated: 'the assessment of whether the data allow identification of an individual, and whether the information can be considered as anonymous or not depends on the circumstances, and a case-by-case analysis should be carried out with particular reference to the extent that the means are likely reasonably to be used for identification'. This refers to the phrase in the GDPR holding that, in order to determine whether a datum is to be considered personal, account should be taken of the means that can reasonably be expected to be used for identification. 
Therefore, in order to determine the current status of a datum or dataset, the expected future status of the data must be taken into account. Given the general availability of technologies and the minimal investment required, it is increasingly likely that when a database is shared or otherwise made available, there will be a party who will combine it with other data, enrich it with data scraped from the internet, or merge it into an existing dataset. It is thus increasingly likely that if an anonymised dataset is made public, there will be a party that will deanonymise it or combine it with other data to create personal profiles; that if a set of personal data is shared, there will be a party that will use that data to create a dataset containing sensitive personal data; and so on. On the other hand, there will be other parties who have access to that data but will not engage in such activities: parties who will not use the data, who will use it as it is provided, or who will even de-identify a database containing personal data. Who will do what is not clear in advance. The legal category to which the data belongs is therefore no longer a quality of the data itself, but a product of a data controller's efforts and investments. Third, the question is whether the distinction made between different categories of data is still relevant. The underlying rationale is that the processing of personal data has an effect on natural persons, while the processing of non-personal data does not, and that the processing of sensitive personal data may have very significant consequences (greater than the processing of 'ordinary' personal data normally has), so that the latter are subject to the most stringent regime, personal data fall under the 'normal' protection regime, and the processing of non-personal data is not subject to any restrictions. 
Pseudonymisation does not ensure the full protection of individuals, but it does greatly reduce the number of people and organisations that can link data to specific individuals, which is why pseudonymous data are put in an intermediate category of protection. The question is to what extent this rationale is still tenable in the 21st century. Not only can information about the content of communication be distilled from metadata, and identifying data be inferred by combining two datasets holding no personal data, but modern data processing on the basis of aggregated data, for example, can also have very large individual and social consequences. Profiling, by definition, targets groups rather than individuals. The consequences of profiling can be negative for groups without the damage being directly relatable to individuals, such as when the police, using predictive policing, decide to patrol certain neighbourhoods more often than others. The possible arrests made in these neighbourhoods may all be justified in and by themselves, while the general problem of stigmatisation of deprived neighbourhoods and blind spots on the part of the police with regard to 'better' neighbourhoods may be significant. The same applies to profiles used in smart cities. The idea that the more sensitive the data are and the more directly they can be linked to a person, the more strictly their processing should be regulated, can therefore be questioned.
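The first argument above, that the same dataset moves between categories depending on who holds it and what they combine it with, can be made concrete in code. The following is an added illustration, not part of the report or the presentation: all records, names and postcodes are constructed, and the helper names (`link`, `generalise`, `pseudonymise`, `k_anonymity`) are the example's own. A controller strips names from a health table and considers it anonymous; a party holding an auxiliary register re-links every row on the remaining quasi-identifiers (postcode, birth year, sex), so for that party the table is personal, even sensitive, data again. The same table, after generalisation into equivalence classes of at least two people, no longer yields a unique match, and a keyed pseudonym (HMAC) keeps the link available only to the holder of the secret, which is exactly the intermediate position the text assigns to pseudonymous data.

```python
"""Added example: how one constructed dataset changes legal category with the
holder's auxiliary data and processing.  Every record here is invented."""
import hashlib
import hmac
from collections import Counter

# Constructed health table as released after direct identifiers (names) were removed.
RELEASED = [
    {"zip": "1011AB", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"zip": "1011AB", "birth_year": 1984, "sex": "M", "diagnosis": "diabetes"},
    {"zip": "1012CD", "birth_year": 1990, "sex": "F", "diagnosis": "none"},
    {"zip": "1012CD", "birth_year": 1991, "sex": "F", "diagnosis": "none"},
]

# Constructed auxiliary register that some other party happens to hold.
AUXILIARY = [
    {"name": "A. Jansen",   "zip": "1011AB", "birth_year": 1984, "sex": "F"},
    {"name": "B. de Vries", "zip": "1011AB", "birth_year": 1984, "sex": "M"},
    {"name": "C. Bakker",   "zip": "1012CD", "birth_year": 1990, "sex": "F"},
    {"name": "D. Visser",   "zip": "1012CD", "birth_year": 1991, "sex": "F"},
]

# Quasi-identifiers: not names, but together they often single out one person.
QUASI = ("zip", "birth_year", "sex")


def key_of(record, cols=QUASI):
    """Tuple of the quasi-identifier values of one record."""
    return tuple(record[c] for c in cols)


def k_anonymity(records, cols=QUASI):
    """Size of the smallest equivalence class over the quasi-identifiers.
    A value of 1 means at least one person is unique in the table."""
    return min(Counter(key_of(r, cols) for r in records).values())


def link(released, auxiliary, cols=QUASI):
    """Join the released table with an auxiliary register on quasi-identifiers.
    A row that matches exactly one register entry is re-identified; the
    result maps name -> diagnosis for every such row."""
    index = {}
    for entry in auxiliary:
        index.setdefault(key_of(entry, cols), []).append(entry["name"])
    matches = {}
    for row in released:
        names = index.get(key_of(row, cols), [])
        if len(names) == 1:
            matches[names[0]] = row["diagnosis"]
    return matches


def generalise(records):
    """Aggregation step: coarsen quasi-identifiers (3-character postcode
    prefix, 5-year birth band, sex suppressed) and keep all other fields."""
    return [
        {**r, "zip": r["zip"][:3], "birth_year": r["birth_year"] // 5 * 5, "sex": "*"}
        for r in records
    ]


def pseudonymise(records, secret):
    """Replace the quasi-identifier tuple with a keyed hash (HMAC-SHA256).
    Only a holder of `secret` can recompute the token and re-link the row;
    any other recipient sees an opaque identifier plus the payload."""
    out = []
    for r in records:
        token = hmac.new(secret, repr(key_of(r)).encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"pid": token, "diagnosis": r["diagnosis"]})
    return out


if __name__ == "__main__":
    print("k of released table:", k_anonymity(RELEASED))            # 1: everyone unique
    print("re-identified by register holder:", link(RELEASED, AUXILIARY))
    coarse = generalise(RELEASED)
    print("k after generalisation:", k_anonymity(coarse))            # 2
    print("re-identified after generalisation:",
          link(coarse, generalise(AUXILIARY)))                       # {}
    print("pseudonymised rows:", pseudonymise(RELEASED, b"constructed-secret"))
```

The point for regulation is the one the slide makes: `RELEASED` is identical bytes in every scenario, yet for the register holder it is sensitive personal data, for a recipient of the generalised table it is aggregated data, and for a recipient of the pseudonymised table its status depends on whether they also hold the secret. The category is a property of the holder's means, not of the data.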

  23. Different scenarios for the GDPR: 1. Do we keep the framework as it is? 2. Invest in more precise definitions? 3. Make it more contextual? 4. Change the categories of data vis-à-vis regulation? 5. Remove the idea of data categories?
